CVE-2023-38343

7.5HIGH

Key Information:

Vendor: Ivanti
Status: Endpoint Manager
Vendor: CVE Published:; 21 September 2023

Summary

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.

References

https://www.ivanti.com/releases

https://gist.github.com/bhyahoo/4772330b20057a271f77e690b...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 21, 2023
Vulnerability Reserved
Jul 15, 2023

Collectors

NVD DatabaseMitre Database